The Healthcare Information Portability and Accountability Act (HIPAA) is primarily used to describe restrictions on the uses and transmission of identifiable health data. While HIPAA does protect the confidentiality of sensitive health information, it was also designed to allow appropriate and necessary sharing of health information. Awareness of key terms and the prohibitions and allowances of HIPAA allows psychiatrists to communicate effectively with their patients and establish systems to both protect and share data as appropriate to facilitate good clinical outcomes. Even if you are not a HIPAA-covered entity, following HIPAA guidelines is good practice to maintain your patients’ privacy and trust.
This is not legal guidance. In addition to federal rules, state, payer, and facility laws and policies may apply to privacy and security practices.
What is HIPAA?
The Healthcare Information Portability and Accountability Act (HIPAA) of 1996 sets national standards for health information uses, disclosures, and protections. The US Department of Health and Human Services (HHS) established privacy and security standards to ensure protected health information (PHI) is lawfully processed and protected by “covered entities.” The HHS Office for Civil Rights (OCR) implements and enforces these rules.
Privacy vs. Security
Privacy and security are both crucial elements to maintaining adherence with HIPAA rules and to maintaining the trust and safety of your patients. The HIPAA Privacy Rule protects identifiable health data and establishes the legal rights of individuals to receive a copy of their health information, while the Security Rule, a subset of the Privacy Rule, protects information a covered entity creates, receives, maintains, or transmits in electronic form. This security rule does not apply to PHI transmitted orally or outside of electronic transmission.
- Covered Entities
- Clinicians, health plans, and clearinghouses who electronically transmit any individually-identifiable PHI (e.g., in an electronic health record; for the purposes of billing, scheduling, or recordkeeping; through delivering telehealth). As a psychiatrist, you are very likely a HIPAA-covered entity unless you see only cash-pay patients physically in your office who you schedule over the phone and maintain paper records and paper prescriptions.
- Business Associates
- A person or business that uses or discloses protected health information on behalf of, or provides services to, a covered entity (e.g., a claims processing contractor, a telehealth or electronic health record platform, a pharmacy benefits manager). A business associate can also be a covered entity. The covered entity must enter into a business associate agreement (BAA) in order to transmit PHI to the third party. APA has developed a template for a Business Associates Agreement available to APA members by logging in here.
- Business Associate Agreement/ Contract
- A contract between a covered entity and a business associate that helps ensure protection of PHI. HHS requires that the business associate use appropriate safeguards to prevent use or disclosure of PHI other than what is indicated in the contract, and these business associates can be audited by HHS.
- Protected Health Information
- Health information that indicates past, present, or future health status or conditions, provision of health care, or payments for health care services and that is either identified or can be used to identify an individual. This includes appointment or scheduling information, electronic payments, and any communication between the covered entity and the patient indicating a treatment relationship or diagnosis.
Key Environmental Considerations
Environmental privacy best practices reduce the likelihood of PHI being physically accessible to those who should not have access. These practices include clinicians maintaining and delivering care from a private space and ensuring the physical security of any records (e.g., locking file cabinets, ensuring devices are in the clinician’s possession at all times). In the case of a telehealth visit, clinicians should notify patients if there is anyone else in the room during the encounter (e.g., a nurse or medical student who may be off-screen) and provide guidance to their patients on the importance of connecting to telehealth visits from a private space and avoiding public settings.
Key Technological Considerations
Technology privacy best practices reduce the likelihood of technological breaches of PHI. Features that can help a HIPAA-covered entity meet compliance requirements include fully encrypted data transmission; security through required passwords and two-factor authentication; secure point-to-point connection; private high-speed network; administrative, physical, and technical safeguards for electronic protected health information (ePHI); audit controls; and breach notification. A BAA is a prerequisite to sharing PHI with others in adherence with HIPAA privacy and security controls.
HIPAA Info for Patients
The HIPAA Privacy Rule permits, but does not require, a covered entity to get permission from patients to utilize PHI for treatment, payment, and health care operations. Covered entities do not need to get re-authorizations from patients after the initial consent for these purposes. There are several examples of treatment, payment, and health care operations (TPO):
- Treatment: PHI is being used to inform the provision, management, and coordination of health care services. This could include all forms of care provision, including medication management and therapeutic interventions.
- Payment: PHI is being used for reimbursement of care or payment for care services. This includes billing, justification for costs, and risk adjustments.
- Health care operations: PHI is used to inform care quality, administrative aspects of care, and financial and legal elements of care.
In contrast to this, HIPAA’s Privacy Rule requires an authorization for uses and disclosures of PHI that are not included within TPO (e.g., disclosing psychotherapy notes to conduct research without institutional IRB, or third party uses). For these cases, covered entities need to obtain authorization from patients whose PHI they would like to use, and must meet the requirements in the section below for a request for authorization. Covered entities may NOT condition treatment or coverage on the individual providing an authorization.
APA has developed templates for a PHI Authorization Form and Notice of Privacy Practice available to APA members by logging in here.
Making Patients' Data Accessible
The Privacy Rule requires covered entities to provide patients, upon request, with access to their PHI in “designated record sets.” This includes the right to a copy of PHI and to direct transmission to a designated person or entity of the patient’s choice. So long as the data is maintained by the covered entity or business associate, the patient has a right to access their stored data. These records must be sent within 30 calendar days of the request.
Some data is excluded from this right to access. This data includes information not used to make decisions about individuals, such as quality assessment or improvement records, patient safety activity records, and business planning records, and information compiled in reasonable anticipation of or for use in a civil, criminal, or administrative action or proceeding. In addition, psychotherapy notes are maintained separately from the rest of a patient’s record, are not required to be shared with the patient like other records, and require patient authorization to be released to anyone. This is because psychotherapy notes are primarily intended for the personal use of the treating mental health clinician.
When requesting access to data, covered entities may require individuals to provide a written request or offer the option to use electronic means to make requests for access. Covered entities are required to provide the individual with access to PHI in the form and format requested unless both agree to an alternative format. Verification requirements should be put in place to verify the identity of those requesting and receiving PHI.
In addition, “information-blocking,” or “a practice that interferes with, prevents, or materially discourages access, exchange, or use of electronic health information,” is prohibited.
Patient Informed Consent
Written authorizations, for non-TPO reasons, must specify several key elements:
- A description of the PHI to be used and disclosed.
- The person authorized to make the use or disclosure.
- The entity receiving the data.
- An expiration date for transmission and use of the data.
- The purpose for which the information may be used or disclosed.
Properly Collecting and Storing PHI
The U.S. Department of Health and Human Services (HHS) lays out four specific HIPAA data storage requirements that covered entities and business associates must adhere to:
- Ensure confidentiality, integrity, and availability of all electronic PHI (e-PHI) through encryption, password protection, and other protection measures.
- Identify and protect against reasonably anticipated threats through regular monitoring and risk analysis.
- Protect against reasonably anticipated impermissible use or disclosure with safeguards such as IT security protocols, Identity and Access Management (IAM), restricting physical access, and regular audits of internal processes.
- Ensure compliance by the workforce through regular training and adherence to rules set by HIPAA enforcement officers.
In addition to the storage requirements above, HHS released guidance on HIPAA and cloud computing. The guidance allows for BAAs and covered entities to utilize cloud service providers (CSPs) so long as the cloud service utilized is HIPAA compliant, addressed through assessment and risk analysis. A BAA is necessary to share e-PHI with a CSP, or the CSP themselves may be a covered entity.
Required Audits and Assessments
- Required by HIPAA’s Security rule, this assessment helps covered entities and their business associates identify potential areas for concern within PHI breaches and ensure compliance to HIPAA’s safeguards.
- OCR and the Office of the National Coordinator for Health Information Technology (ONC) developed a downloadable SRA tool to help guide small and medium-sized providers through this process.
- Typically conducted every year to every other year.
This audit from HIPPA Journal covers the two basic requirements of the Privacy Rule: "to protect individually identifiable health information from non-authorized use and disclosure, and to give individuals rights over their PHI." To accomplish this, several sets of standards must be complied with:
- Designate a HIPAA Privacy Officer
- Understand what constitutes PHI
- Permissible Uses and Disclosures
- Procedures for Obtaining Authorizations
- Notices of Privacy Practices
- Procedures for Responding to Requests for Privacy Protection
- Procedures for Responding to Requests for Access, Correction, and Transfer
- Procedures for Maintaining an Accounting of Disclosures
- Workforce Training
This audit from UpGuard focuses on the HITECH Subtitle B provisions that hold business associates to the same standards and regulations of privacy compliance while improving on existing compliance standards. This audit requires organizations to implement policies and procedures regarding breach notification, and require workforce training on these policies.
From telehealth.org, this is an audit of the physical office or facilities where PHI is being stored to help ensure safety of physical PHI.
Asset and Device Audit
This audit requires covered entities to put in place policies related to the security and protection of electronic media and relevant devices. This means that covered entities must make sure they are creating and using clear policies around the devices or electronic systems they use to collect and store PHI. When audited, the auditors will look for established and practiced security policies and protections.
Security Standards Audit
This audit requires covered entities to implement policies and procedures that comply with the Security Rule and it requires organizations to review these policies and procedures each year. Similar to the audit requirements for asset and device audits, this means that covered entities must establish clear guidance and policy around security standards to ensure that PHI is protected in digital spaces. The audit will look for these clear and explicitly stated policies and procedures during the audit process.
HIPAA vs. 42 CFR Part 2
While HIPAA and 42 CFR Part 2 are separate regulations—with 42 CFR Part 2 passed over twenty years prior to the passage of HIPAA—they are often both used to describe data protections in mental health and substance use disorder treatment settings.
42 CFR Part 2 includes regulations that protect patient records created by federally-assisted programs for the treatment of substance use disorders (SUDs). This information is protected separately from HIPAA. and includes federally-funded and run programs or practitioners that take public insurance and “hold themselves out as” SUD treatment providers.
Key differences between 42 CFR Part 2 and HIPAA are:
- HIPAA allows data disclosure without patient consent for treatment, payment, or health care operations, whereas with Part 2, SUD treatment regulations require patient consent or specific exception for this same disclosure.
- HIPAA-covered entities may share PHI if they have a court order or receive a valid subpoena from a party to the litigation requesting medical records. Part 2 requires a specific court order authorizing disclosure of SUD records.